e0efc867eeb0a7367b8d60f215631652c4f7e86be964c25c697f1240738ba302

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 23:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
Size

5.5MB
MD5

26e8f47f120d9acbba85c8dc825a07d3
SHA1

dc0c552363c2426f10810141d7195452f4ecc70a
SHA256

e0efc867eeb0a7367b8d60f215631652c4f7e86be964c25c697f1240738ba302
SHA512

5990b5eea1253d6466010ee8ce3b393580b2628c1817492d3a5ca533f541299c3c6392fab171eff7c225878738b8a457c8a8f8fce2ae787b48534835e8f20738
SSDEEP

98304:KJYj2fjWTrgBTzBdLB/35mCckFR+vicS43:AU6yTEBv1B33FR+6c

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2840	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2820	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2820-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x0007000000012119-11.dat	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2820	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2820	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
2840	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2840	2820	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2840	2820	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2840	2820	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2840	2820	26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe

Filesize
5.5MB

MD5
70df69169e52646b9aad4ba9f5bd5935

SHA1
05ed5a6124e7f739107b529adb1311697569ce35

SHA256
5aa4558a489e9bc3894e1c4e50373b58dd4ad697d54b076753d32c3da9fc163e

SHA512
da6b8982442db39268f0d0aa21eb7197f8bc6330fe8f9592b10db6b2671ad2c94accde2899e0eaacbb33f8b5b3da539268dfa304822f5a57faa4f90c6ce44cd8

Download Submit
memory/2820-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2820-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2820-7-0x00000000021E0000-0x000000000243A000-memory.dmp

Filesize
2.4MB

Download
memory/2820-15-0x0000000004380000-0x0000000004D1E000-memory.dmp

Filesize
9.6MB

Download
memory/2820-14-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2820-43-0x0000000004380000-0x0000000004D1E000-memory.dmp

Filesize
9.6MB

Download
memory/2840-17-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2840-18-0x0000000002220000-0x000000000247A000-memory.dmp

Filesize
2.4MB

Download
memory/2840-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download